Healthcare Data Breach Reported by Mulkay, BHS Physicians Network, Life Generations Healthcare, Cadence Bank and AlohaCare

Mulkay Cardiology Consultants at Holy Name Medical Center reported that it encountered a ransomware attack that was discovered on September 5, 2023 after noticing the encryption of files on its network. Mulkay mentioned on its breach notice that it had rebuilt its systems and restored the encrypted files using its backups.

Third-party forensics experts investigated the incident and confirmed the compromise of its systems from September 1, 2023 to September 5, 2023. Files that were extracted contained personal data and protected health information (PHI). The breached data included names, birth dates, addresses, driver’s license numbers or state IDs, Social Security numbers, medical treatment data, and medical insurance data. Mulkay stated it has improved its technical safety measures to avoid the same incidents later on. Impacted persons were informed and provided free credit monitoring services.

The breach report was submitted to the Maine Attorney General indicating that 79,582 individuals were affected. The breach is not yet posted on the HHS’ Office for Civil Rights breach website, so the number of affected patients is still uncertain. Though Mulkay has stated that this was a ransomware attack, it was not mentioned which group was responsible. But it seems to be an attack by the NoEscape group, according to the Health Sector Cybersecurity Coordination Center (HC3) analyst note. Although NoEscape mentioned on its data leak site that it stole about 60GB of data, which includes the personal data of 30,000 patients, that information was already deleted, which often means that a ransom payment was likely made.

Email Account Breach at BHS Physicians Network

BHS Physicians Network recently reported a breach of a business email account hosted by Microsoft Office 365 that a medical assistant used. The email account breach was discovered on August 11, 2023. Based on the investigation, account access possibly occurred from July 28, 2023 to August 15, 2023. The email account included files with the PHI of patients of Georgia Northside Ear, Nose, and Throat, First California Physician Partners, and Greater Dallas Healthcare Enterprises.

According to BHS Physicians Network, its internal network and systems were not impacted by the breach. On August 30, 2023, it was confirmed that the account included demographic data like complete name, birth date, and address, medical and/or treatment data like dates of service, names of provider and facility, procedure codes, and billing and claims details, like account and/or claim status, patient account identifiers, transaction and charge ID numbers, and payor details.

BHS Physicians Network stated it improved security and monitoring functions and it toughened systems to stop identical breaches later on. The breach report was submitted to the HHS’ Office for Civil Rights indicating that 1,857 individuals were affected.

Email Accounts Breach at Life Generations Healthcare

Medical group Life Generations Healthcare (LGH) based in Santa Ana, CA recently reported unauthorized access to several employee email accounts from May 24 to June 13, 2023. It was not mentioned when the breach was discovered, but LGH stated that the breach investigation confirmed on October 4, 2023 that there were breached accounts that contained the PHI of patients. The breached data differed from one patient to another and could have contained names, addresses, birth dates, medical data, medical insurance data, driver’s license numbers/state IDs, Social Security numbers, and financial account details.

LGH sent notification letters to the impacted persons and patients whose driver’s license numbers and/or Social Security numbers were compromised and offered free credit monitoring and identity theft protection services. The incident is not yet posted on the HHS’ Office for Civil Rights breach website so the number of affected individuals is still uncertain.

Cadence Bank and AlohaCareAffected by MOVEit Transfer Hacking

Cadence Bank has reported having been affected by the hacking of the zero-day vulnerability in the MOVEit Transfer solution of Progress Software. The bank stated that it applied the patch immediately as soon as Progress Software made the patch available, but vulnerability exploitation and data theft already occurred. Cadence Bank is the lockbox services provider to North Mississippi Health Services and its affiliates. On June 18, 2023, the bank reported that patient data was affected including names, addresses, birth dates, driver’s license numbers, Social Security numbers, medical insurance data, medical and/or treatment data, and billing and claims data.

Cadence Bank stated it has improved security and monitoring measures and toughened system security. Free credit monitoring services were provided to those whose driver’s license numbers, Social Security numbers, and/or financial account data were affected. The breach report was submitted to the HHS’ Office for Civil Rights indicating that 13,862 individuals were affected.

Community-led non-profit health plan AlohaCare based in Honolulu, HI has confirmed the compromise of 12,982 members’ data in the exploitation of a zero-day vulnerability in the MOVEit Transfer solution. AlohaCare applied the patch as soon as it was available, however, the exploitation already occurred. The stolen data included names, addresses, birth dates, and Social Security numbers. Impacted persons provided free credit monitoring services.

Ransomware Groups Responsible for Unconfirmed Attacks on Healthcare Companies

Summit Health and Cardiovascular Consultants were recently included on the data leak websites of ransomware groups. They have not confirmed the ransomware attacks nor the leaked data.

Summit Health (LockBit 3.0)

Multi-specialty medical practice Summit Health based in Berkeley Heights, NJ with over 340 locations was recently included on the LockBit 3.0 data leak website. The ransomware group told Summit Health that it has until November 8, 2023 to pay the ransom or it will publish the stolen information. Summit Health did not confirm the attack nor reported a data breach. There was no mention in the LockBit 3.0 data leak site what information was acquired in the attack.

Cardiovascular Consultants (Quilin)

Cardiovascular Consultants in Arizona seems to have suffered a ransomware attack. The Quilin group recently added a 205.93 GB file on its data leak site, which was data stolen in the attack. As of November 8, 2023, the link to the file is not working and cannot be downloaded. There is no statement from Cardiovascular Consultants yet about the validity of the group’s claim.